Data Protection Act 1998 Data Protection Subject Access Request Procedure

Transcription

1 Data Protection Act 1998 Data Protection Subject Access Request Procedure This documented procedure aims to ensure that the Authority is prepared to receive data subject access requests and process the requests according to the Legislation and within the 40 calendar day deadline date. The following procedure has been put together to ensure that anyone within Doncaster Borough Council knows what to do when they receive a request for personal information under the Data Protection Act 1998 Legislation. It is acknowledged that customers may have diverse needs when accessing written data due to disability or other issues. The procedure refers to some of these circumstances but if there are exceptions that fall outside what is prescribed there is an assumption of promoting accessibility. Discussions about individual requirements may be needed and adjustments made where these are reasonable and equitable with other customers. The procedure will be split in to 5 distinct areas: How requests are handled How information is searched for What is done with the files How the information is released Complaints/Appeals History of the procedure: Version Date of issue Reason for revision 1.0 September 1999 Initial issue 1.1 October 1999 To reflect comments on initial issue 1.2 January 2000 To reflect comments at DPSG 20/10/ June 2000 To specify cheque payee details and reflect feedback from Yorks. And Humber Group 1.4 November 2001 Modify guidance and include new forms for CCTV subject access requests Version 1.4 November April 2009 To include new DP Appeal/Complaint procedure 1.6 November 2009 Updated to make the process easier for staff and customers to follow Version December 2012

2 1.7 January 2012 Updated to take in to consideration disabled customer and foreign customer requests. 1.8 December 2012 Updated contact details for the Data Protection Officer How Requests are Handled Requests will normally be made in writing, either by mail, fax or . In some circumstances, for example when a customer has difficulty writing due to their physical, sensory or learning disabilities or other condition, the request can be made in another way to ensure an accessible service. This will usually be verbally (either via the telephone or in person) or may in the case of a deaf person be via a British Sign Language interpreter or BSL DVD. In the circumstances where a customer finds it difficult to express in words their specific request, a member of staff may aid the customer to write this. Verification by the customer that this is what they are requesting is needed. This will either be via posting out a copy of the request to them with an SAE for signature and return or by the requester verifying in person. If print (or large print) is not an accessible format consideration will need to be given to other means of verification e.g. the document read/signed back to them before the customer is asked to sign or mark the written copy. If a customer s first language is not English, the Council will aim to provide a translation service to ensure the customer s needs are met. All requests for personal information received directly by a Team/Department must be forwarded to the Data Protection Officer either by hand to Floor 1, Civic Office or by dataprotection@doncaster.gov.uk Please do not send the request through the internal post without first ing it. The request will be logged by the Data Protection Officer who will assess whether further information and/or identification is needed from the customer and whether a Subject Access Request Verification Form is to be sent out. If the request is valid and satisfactory the Data Protection Officer will acknowledge the customer s request advising them of the 40 calendar day deadline date. The Data Protection Officer will ask the customer within the acknowledgement whether there are any special requirements for viewing/accessing the information from the Council, any requirements highlighted will be passed on to the Team. Version December 2012

3 If it has been necessary to send the Subject Access Verification document the 40 calendar day deadline date will be revised when this document has been received by the customer and it is felt that the request is now satisfactory. The Data Protection Officer will contact the Department, pass on the additional information and advise them of the revised deadline date. The Data Protection Officer will contact the Team on the 20 th and 30 th calendar days to ensure that progress is being made and to ensure that the prescribed deadline date is not exceeded. The following standard letters are provided by the Data Protection Officer to aid with Subject Access Request: Third Party Authorisation Request This letter is to be used if third party information is contained within the file/documentation i.e. information provided by a third party (G.P., Hospital, Police) or if a third party is mentioned. The Data Protection Officer will send out and receive the response and will pass on to the Team whether or not consent has been received to release the information. No Data Found This letter is only be sent out once a full and extensive search has been carried out. Invite to View This letter will be used to invite the customer to the Team s office to view their information. Response Letter This letter must be sent out with any documentation found. The letter gives the customer further details if an unsatisfactory response is received. Refusal to Disclose This letter can only be sent when using a relevant exemption under the Data Protection Act, this exemption must be fully explained within the response. If the request is for a deceased person s information then the request must be passed on to the Freedom of Information Officer, Floor 1, Civic Office by FOI@doncaster.gov.uk who will respond directly to the customer. The Data Protection Officer will have no further dealings with this request. Version December 2012

4 How Files are Searched for The Team carrying out the search must ensure that all paper and computerised systems are thoroughly searched. If more information is needed to enable the search the Team must contact the Data Protection Officer without delay who will, again, contact the customer for that information. The 40 calendar days will stop until a satisfactory response has been received. Once this has been received the 40 calendar days will start again and a new deadline date will be provided to the customer and the relevant Team. If more than 1 Team is searching for information then the Data Protection Officer will co-ordinate the response and collect all the information that is to be released. In the first instance, the customer is to be invited in, that appointment must be within the 40 calendar days, however, if that date and time is inconvenient to the customer a further appointment is to be made at their convenience. The customer can request that the information is sent out, if this is the case then this must be done using a secure method, this will be by 1 st Class Recorded Delivery. In some instances it may be felt that it would be in the customer s best interests to view the information with a member of staff, each decision is to be taken on a case by case basis. If no information can be found this must be established as soon as possible and let the Data Protection Officer will inform the customer. What is Done with the Files Any information that is found must be gone through by a suitably skilled person who will redact any third party information (unless consent had been given to leave that information in, see next bullet point). Advice on the redaction process should be sought from the Data Protection Officer, if required. The Data Protection Officer will contact any third parties who have provided information (i.e. GP, Hospital. Police etc.) for consent to disclose their information. If no response is received from the third parties by the given deadline, then any information that is available must be provided by the 40 calendar day deadline date. A paragraph must be included in the response letter explaining that third party information has been withheld due to consent not being received. If the third party is a professional their contact details Version December 2012

5 will be passed on so the requester can approach them directly. Nonprofessional details will not be passed on. If the establishment that has provided the information no longer exists then the information could be released with consideration given to whether any distress or harm would result to the client or any other party. Once the information has been redacted, collated and third party authorisation obtained the information needs putting in to a file ready for the customer to view/receive. A copy of any correspondence and the file to be released must be taken and kept for 3 years in line with the Data Protection Subject Access Request retention period. How is the Information Released The customer will be contacted by the Data Protection Officer offering appointment to come in to the office where the documents will be gone through with a suitably skilled person, ideally this will be with the person who collated and redacted the information. The customer is able to take away any of the copied documents that they feel are useful and, if necessary, in a format that is that allows them access to the information. The customer will have been asked to identify any special requirements for access in the initial acknowledgement. If the client is to be invited in to view their file, this appointment must be made within the 40 calendar day deadline. The Data Protection Officer will send the invite out. If the documentation is ready for viewing prior to the deadline date but the client cannot attend before that date the request will not breach. If requested, the client s documents will be posted out using a secure method of posting this will be 1 st First Class Recorded Delivery, responses to requests must not be sent via . Once the information has been released the Department must inform the Data Protection Officer know so that they can close the request. Complaints/Appeals If the customer is dissatisfied with the information that has been provided they have a right to complain/appeal to the Data Protection Officer. This information is provided on the standard response letter. If a complaint/appeal is received the Data Protection Officer will forward this through to the relevant Head of Service who will allocate the request Version December 2012

6 accordingly. The Data Protection Officer will acknowledge the customer and advise them and the Head of Service of the deadline date, which, again, is 40 calendar days. The procedure followed is the same process for the original request but ensuring that all paper and computerised systems are extensively searched again. If any information or further information is found this must be sent out using the relevant standard letter. Please make every effort to find the information that is being requested as the customer has the right to go straight to the Information Commissioner s Office if they feel that their request has not been handled in a way described in the Data Protection Act 1998, this may result in the Information Commissioner contacting Doncaster Borough Council s Chief Executive. Version December 2012